Common Weakness Enumeration

CWE-61

Allowed

UNIX Symbolic Link (Symlink) Following

Abstraction: Compound · Status: Incomplete

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

270 vulnerabilities reference this CWE, most recent first.

GHSA-Q3JC-42CQ-33FJ

Vulnerability from github – Published: 2026-06-26 00:32 – Updated: 2026-06-26 00:32
VLAI
Details

A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content and change its ownership.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-13218"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-26T00:16:51Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in KubeVirt\u0027s virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content and change its ownership.",
  "id": "GHSA-q3jc-42cq-33fj",
  "modified": "2026-06-26T00:32:07Z",
  "published": "2026-06-26T00:32:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13218"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-13218"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492654"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q49M-57VM-C8CC

Vulnerability from github – Published: 2026-05-04 19:32 – Updated: 2026-05-14 20:49
VLAI
Summary
Kata Container has CopyFile Policy Subversion via Symlinks
Details

Summary

An oversight in the CopyFile policy (and perhaps the CopyFile handler) allows untrusted hosts to write to arbitrary locations inside the guest workload image. This can be used to overwrite binaries inside the guest and exfiltrate data from containers; even those running inside CVMs.

Details

Here is the policy that covers CopyFile requests.

CopyFileRequest if {
    print("CopyFileRequest: input.path =", input.path)

    check_directory_traversal(input.path)

    some regex1 in policy_data.request_defaults.CopyFileRequest
    regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
    regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
    regex4 := replace(regex3, "$(bundle-id)", "[a-z0-9]{64}")
    print("CopyFileRequest: regex4 =", regex4)

    regex.match(regex4, input.path)

    print("CopyFileRequest: true")
}

This checks that files are being copied to policy_data.common.cpath, which is typically set to /run/kata-containers/shared/containers. In other words, you're allowed to copy files to anywhere inside the shared dir.

For reference, here is the CopyFile message. Note that none of the other fields are check in the policy.

message CopyFileRequest {
    // Path is the destination file in the guest. It must be absolute,
    // canonical and below /run.
    string path = 1;
    // FileSize is the expected file size, for security reasons write operations
    // are made in a temporary file, once it has the expected size, it's moved
    // to the destination path.
    int64 file_size = 2;
    // FileMode is the file mode.
    uint32 file_mode = 3;
    // DirMode is the mode for the parent directories of destination path.
    uint32 dir_mode = 4;
    // Uid is the numeric user id.
    int32 uid = 5;
    // Gid is the numeric group id.
    int32 gid = 6;
    // Offset for the next write operation.
    int64 offset = 7;
    // Data to write in the destination file.
    bytes data = 8;
}

In addition to copying files directly, the Kata Agent supports creating symlinks via the CopyFile API. In this case the path is the symlink name and the data field contains the symlink target. Given that the policy only checks the path, an attacker can craft a CopyFile request that results in a symlink going from any location into the shared dir.

PoC

The above primitive can be used to to write arbitrary data into container images (pulled in the guest or otherwise). A couple steps are required.

First, identify some target path in the guest image. This could be a binary that will be called by the workload. You could also experiment with overwriting other stuff.

Create a symlink from this binary to the shared dir. The path/link name should be in the shared dir and the data/target should point to the path of the target file inside the container image in the guest fs.

Create a second CopyFile request to copy your data from the host into the symlink you just created in the shared dir. This will then be propagated into the image. You may want to restart the container to ensure that your new binary is invoked.

Impact

Anyone who is using the upstream genpolicy implementation and expects it to prevent host access to container images is vulnerable This includes Confidential Containers workloads where the trust model explicitly forbids this type of access. If you have your own policy implementation you may or may not be vulnerable. If you do not care about protecting the image from the host (e.g. you are using unprotected host pull), you are not vulnerable.

This was individually discovered and reported by

  • @calonso-nv
  • @fikriwahab
  • @kodareef5
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kata-containers/kata-containers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260422180503-1b9e49eb2763"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41326"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T19:32:20Z",
    "nvd_published_at": "2026-04-24T19:17:12Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAn oversight in the CopyFile policy (and perhaps the CopyFile handler) allows untrusted hosts to write to arbitrary locations inside the guest workload image. This can be used to overwrite binaries inside the guest and exfiltrate data from containers; even those running inside CVMs.\n\n### Details\nHere is the policy that covers CopyFile requests.\n```\nCopyFileRequest if {\n    print(\"CopyFileRequest: input.path =\", input.path)\n        \n    check_directory_traversal(input.path)\n        \n    some regex1 in policy_data.request_defaults.CopyFileRequest\n    regex2 := replace(regex1, \"$(sfprefix)\", policy_data.common.sfprefix)\n    regex3 := replace(regex2, \"$(cpath)\", policy_data.common.cpath)\n    regex4 := replace(regex3, \"$(bundle-id)\", \"[a-z0-9]{64}\")\n    print(\"CopyFileRequest: regex4 =\", regex4)\n    \n    regex.match(regex4, input.path)\n      \n    print(\"CopyFileRequest: true\")\n}\n```\nThis checks that files are being copied to `policy_data.common.cpath`, which is typically set to `/run/kata-containers/shared/containers`. In other words, you\u0027re allowed to copy files to anywhere inside the shared dir.\n\nFor reference, here is the CopyFile message. Note that none of the other fields are check in the policy.\n```\nmessage CopyFileRequest {\n\t// Path is the destination file in the guest. It must be absolute,\n\t// canonical and below /run.\n\tstring path = 1;\n\t// FileSize is the expected file size, for security reasons write operations\n\t// are made in a temporary file, once it has the expected size, it\u0027s moved\n\t// to the destination path.\n\tint64 file_size = 2;\n\t// FileMode is the file mode.\n\tuint32 file_mode = 3;\n\t// DirMode is the mode for the parent directories of destination path.\n\tuint32 dir_mode = 4;\n\t// Uid is the numeric user id.\n\tint32 uid = 5;\n\t// Gid is the numeric group id.\n\tint32 gid = 6;\n\t// Offset for the next write operation.\n\tint64 offset = 7;\n\t// Data to write in the destination file.\n\tbytes data = 8;\n}\n```\n\nIn addition to copying files directly, the Kata Agent supports creating symlinks via the CopyFile API. In this case the `path` is the symlink name and the `data` field contains the symlink target. Given that the policy only checks the path, an attacker can craft a CopyFile request that results in a symlink going from any location into the shared dir.\n\n### PoC\nThe above primitive can be used to to write arbitrary data into container images (pulled in the guest or otherwise). A couple steps are required.\n\nFirst, identify some target path in the guest image. This could be a binary that will be called by the workload. You could also experiment with overwriting other stuff.\n\nCreate a symlink from this binary to the shared dir. The path/link name should be in the shared dir and the data/target should point to the path of the target file inside the container image in the guest fs.\n\nCreate a second CopyFile request to copy your data from the host into the symlink you just created in the shared dir. This will then be propagated into the image. You may want to restart the container to ensure that your new binary is invoked.\n\n### Impact\nAnyone who is using the upstream `genpolicy` implementation and expects it to prevent host access to container images is vulnerable This includes Confidential Containers workloads where the trust model explicitly forbids this type of access. If you have your own policy implementation you may or may not be vulnerable. If you do not care about protecting the image from the host (e.g. you are using unprotected host pull), you are not vulnerable.\n\nThis was individually discovered and reported by\n\n- @calonso-nv \n- @fikriwahab\n- @kodareef5",
  "id": "GHSA-q49m-57vm-c8cc",
  "modified": "2026-05-14T20:49:51Z",
  "published": "2026-05-04T19:32:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kata-containers/kata-containers/security/advisories/GHSA-q49m-57vm-c8cc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41326"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kata-containers/kata-containers/commit/1b9e49eb2763aa6ea6a99b276d3ff5e2c7f658f2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kata-containers/kata-containers"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/13/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Kata Container has CopyFile Policy Subversion via Symlinks"
}

GHSA-Q5XR-H2VQ-97X6

Vulnerability from github – Published: 2025-05-26 18:30 – Updated: 2025-05-27 15:31
VLAI
Details

A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus to root.This issue affects openSUSE Tumbleweed cyrus-imapd before 3.8.4-2.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-23394"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-26T16:15:20Z",
    "severity": "CRITICAL"
  },
  "details": "A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus to root.This issue affects openSUSE Tumbleweed  cyrus-imapd before 3.8.4-2.1.",
  "id": "GHSA-q5xr-h2vq-97x6",
  "modified": "2025-05-27T15:31:25Z",
  "published": "2025-05-26T18:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23394"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-23394"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q9VP-3WCG-8P4X

Vulnerability from github – Published: 2026-03-27 17:09 – Updated: 2026-03-27 17:09
VLAI
Summary
Incus vulnerable to local privilege escalation through VM screenshot path
Details

Summary

Incus provides an API to retrieve VM screenshots, that API relies on the use of a temporary file for QEMU to write the screenshot to which is then picked up and sent to the user prior to deletion.

As Incus uses predictable paths under /tmp for this, an attacker with local access to the system can abuse this mechanism by creating their own symlinks ahead of time.

On the vast majority of Linux systems, this will result in a "Permission denied" error when requesting a screenshot. That's because the Linux kernel has a security feature designed to block such attacks, protected_symlinks.

On the rare systems with this purposefully disabled, it's then possible to trick Incus intro truncating and altering the mode and permissions of arbitrary files on the filesystem, leading to a potential denial of service or possible local privilege escalation.

Details

The incusd daemon contains a local privilege escalation (LPE) primitive in the Virtual Machine VGA screenshot handling routine. When a screenshot is requested, the daemon creates a file in the globally writable /tmp directory using a deterministic pathname derived from the instance identifier. Because this implementation uses a predictable pathname in a world-writable directory, it exposes the operation to pathname attacks. The file permissions are then restricted, and the file is passed to the QEMU screenshot routine. In the QEMU path, ownership is transferred to the unprivileged Virtual Machine UID before the QEMU Machine Protocol is invoked with the same pathname.

An attacker able to pre-place or otherwise control that pathname can redirect truncation and ownership changes to an unintended host file.

This allows attacker-chosen host files to be truncated and have ownership reassigned to the unprivileged VM UID. In practice, this can be used to destroy sensitive root-owned files and alter ownership of security-relevant host paths. Depending on the targeted path and follow-up conditions, the impact may include denial of service, corruption of credentials or configuration, persistence through modified startup or service files, and further privilege escalation on the host.

As previously mentioned, this is only possible if the kernel protection mechanism has been previously disabled. It's possible to check on its status by reading the file at /proc/sys/fs/protected_symlinks, a value of 0 is required for this attack to work.

Affected File: https://github.com/lxc/incus/blob/v6.20.0/cmd/incusd/instance_console.go

Affected Code:

func instanceConsoleGet(d *Daemon, r *http.Request) response.Response {
    [...]
    } else if inst.Type() == instancetype.VM {
        v, ok := inst.(instance.VM)
        if !ok {
            return response.SmartError(errors.New("Failed to cast inst to VM"))
        }

        var headers map[string]string
        if consoleLogType == "vga" {
            screenshotFile, err := os.Create(fmt.Sprintf("/tmp/incus_screenshot_%d", inst.ID()))
            if err != nil {
                return response.SmartError(fmt.Errorf("Couldn't create screenshot file: %w", err))
            }

            err = screenshotFile.Chmod(0o600)
            if err != nil {
                return response.SmartError(err)
            }

            ent.Cleanup = func() {
                _ = screenshotFile.Close()
                _ = os.Remove(screenshotFile.Name())
            }

            err = v.ConsoleScreenshot(screenshotFile)
            if err != nil {
                return response.SmartError(err)
            }
            [...]
    }
    [...]
}

Affected File: https://github.com/lxc/incus/blob/v6.20.0/internal/server/instance/drivers/driver_qemu.go

Affected Code:

func (d *qemu) ConsoleScreenshot(screenshotFile *os.File) error {
    if !d.IsRunning() {
        return errors.New("Instance is not running")
    }


    // Check if the agent is running.
    monitor, err := d.qmpConnect()
    if err != nil {
        return err
    }

    err = screenshotFile.Chown(int(d.state.OS.UnprivUID), -1)
    if err != nil {
        return fmt.Errorf("Failed to chown screenshot path: %w", err)
    }


    // Take the screenshot.
    err = monitor.Screendump(screenshotFile.Name())
    if err != nil {
        return fmt.Errorf("Failed taking screenshot: %w", err)
    }

    return nil
}

PoC

The following PoC demonstrates that a local attacker can pre-place symlink traps in the predictable /tmp/incus_screenshot_ namespace and coerce the root incusd daemon into truncating an unintended host file and reassigning its ownership during a VM VGA screenshot request.

Step 0: Disable the kernel symlink protection mechanism

Commands (as root):

echo 0 > /proc/sys/fs/protected_symlinks

Step 1: Prepare the target VM

From an Incus client with access to the target server, ensure a running virtual machine exists that can service the VGA screenshot path.

Commands:

incus init images:alpine/edge lpe-vm --vm --project default
incus config set lpe-vm security.secureboot=false --project default
incus start lpe-vm --project default

Step 2: Create a root-owned trap target and pre-place /tmp symlinks

On the Incus host, create a sensitive root-owned file and place symlinks across a range of likely screenshot identifiers so that the predictable daemon pathname resolves to the chosen host target.

Commands:

echo "SuperSecretRootHash" > /root/shadow_trap
chmod 600 /root/shadow_trap
ls -l /root/shadow_trap


for i in $(seq 1 100); do
    ln -sf /root/shadow_trap /tmp/incus_screenshot_$i
done

ls -l /tmp/incus_screenshot_* | head

Result:

-rw------- 1 root root 20 Mar 18 00:27 /root/shadow_trap

Step 3: Trigger the vulnerable screenshot path

From an Incus client with access to the target server, request the VM VGA console through the Incus API. This causes the daemon to open the predictable /tmp/incus_screenshot_ path, change its ownership, and pass the same pathname into the QEMU screendump flow.

Command:

incus query -X GET "/1.0/instances/lpe-vm/console?project=default&type=vga" > /dev/null

Result:

Error: Failed taking screenshot: Failed to connect to QEMU monitor

Step 4: Verify host-side impact

On the Incus host, inspect the previously root-owned target file and confirm that it has been truncated and that ownership has been reassigned to the unprivileged VM UID.

Command:

ls -l /root/shadow_trap && stat /root/shadow_trap

Result:

-rw------- 1 incus root 0 Mar 18 00:29 /root/shadow_trap
  File: /root/shadow_trap
  Size: 0
  Access: (0600/-rw-------)
  Uid: ( 100000/   incus)
  Gid: (     0/    root)

It is recommended to create the temporary file securely in a directory controlled exclusively by the daemon, avoid predictable /tmp paths, and avoid reusing a mutable pathname after file creation.

Credit

This issue was discovered and reported by the team at 7asecurity (https://7asecurity.com/)

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lxc/incus/v6"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.23.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33711"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T17:09:45Z",
    "nvd_published_at": "2026-03-26T23:16:20Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nIncus provides an API to retrieve VM screenshots, that API relies on the use of a temporary file for QEMU to write the screenshot to which is then picked up and sent to the user prior to deletion.\n\nAs Incus uses predictable paths under /tmp for this, an attacker with local access to the system can abuse this mechanism by creating their own symlinks ahead of time.\n\nOn the vast majority of Linux systems, this will result in a \"Permission denied\" error when requesting a screenshot. That\u0027s because the Linux kernel has a security feature designed to block such attacks, `protected_symlinks`.\n\nOn the rare systems with this purposefully disabled, it\u0027s then possible to trick Incus intro truncating and altering the mode and permissions of arbitrary files on the filesystem, leading to a potential denial of service or possible local privilege escalation.\n\n### Details\nThe incusd daemon contains a local privilege escalation (LPE) primitive in the Virtual Machine VGA screenshot handling routine. When a screenshot is requested, the daemon creates a file in the globally writable /tmp directory using a deterministic pathname derived from the instance identifier. Because this implementation uses a predictable pathname in a world-writable directory, it exposes the operation to pathname attacks. The file permissions are then restricted, and the file is passed to the QEMU screenshot routine. In the QEMU path, ownership is transferred to the unprivileged Virtual Machine UID before the QEMU Machine Protocol is invoked with the same pathname.\n\nAn attacker able to pre-place or otherwise control that pathname can redirect truncation and ownership changes to an unintended host file.\n\nThis allows attacker-chosen host files to be truncated and have ownership reassigned to the unprivileged VM UID. In practice, this can be used to destroy sensitive root-owned files and alter ownership of security-relevant host paths. Depending on the targeted path and follow-up conditions, the impact may include denial of service, corruption of credentials or configuration, persistence through modified startup or service files, and further privilege escalation on the host.\n\nAs previously mentioned, this is only possible if the kernel protection mechanism has been previously disabled.\nIt\u0027s possible to check on its status by reading the file at `/proc/sys/fs/protected_symlinks`, a value of 0 is required for this attack to work.\n\nAffected File:\nhttps://github.com/lxc/incus/blob/v6.20.0/cmd/incusd/instance_console.go \n\nAffected Code:\n```go\nfunc instanceConsoleGet(d *Daemon, r *http.Request) response.Response {\n    [...]\n    } else if inst.Type() == instancetype.VM {\n        v, ok := inst.(instance.VM)\n        if !ok {\n            return response.SmartError(errors.New(\"Failed to cast inst to VM\"))\n        }\n\n        var headers map[string]string\n        if consoleLogType == \"vga\" {\n            screenshotFile, err := os.Create(fmt.Sprintf(\"/tmp/incus_screenshot_%d\", inst.ID()))\n            if err != nil {\n                return response.SmartError(fmt.Errorf(\"Couldn\u0027t create screenshot file: %w\", err))\n            }\n\n            err = screenshotFile.Chmod(0o600)\n            if err != nil {\n                return response.SmartError(err)\n            }\n\n            ent.Cleanup = func() {\n                _ = screenshotFile.Close()\n                _ = os.Remove(screenshotFile.Name())\n            }\n\n            err = v.ConsoleScreenshot(screenshotFile)\n            if err != nil {\n                return response.SmartError(err)\n            }\n            [...]\n    }\n    [...]\n}\n```\n\nAffected File:\nhttps://github.com/lxc/incus/blob/v6.20.0/internal/server/instance/drivers/driver_qemu.go \n\nAffected Code:\n```go\nfunc (d *qemu) ConsoleScreenshot(screenshotFile *os.File) error {\n    if !d.IsRunning() {\n        return errors.New(\"Instance is not running\")\n    }\n\n\n    // Check if the agent is running.\n    monitor, err := d.qmpConnect()\n    if err != nil {\n        return err\n    }\n\n    err = screenshotFile.Chown(int(d.state.OS.UnprivUID), -1)\n    if err != nil {\n        return fmt.Errorf(\"Failed to chown screenshot path: %w\", err)\n    }\n\n\n    // Take the screenshot.\n    err = monitor.Screendump(screenshotFile.Name())\n    if err != nil {\n        return fmt.Errorf(\"Failed taking screenshot: %w\", err)\n    }\n\n    return nil\n}\n```\n\n### PoC\nThe following PoC demonstrates that a local attacker can pre-place symlink traps in the predictable /tmp/incus_screenshot_\u003cID\u003e namespace and coerce the root incusd daemon into truncating an unintended host file and reassigning its ownership during a VM VGA screenshot request.\n\nStep 0: Disable the kernel symlink protection mechanism\n\nCommands (as root):\n```\necho 0 \u003e /proc/sys/fs/protected_symlinks\n```\n\nStep 1: Prepare the target VM\n\nFrom an Incus client with access to the target server, ensure a running virtual machine exists that can service the VGA screenshot path.\n\nCommands:\n```\nincus init images:alpine/edge lpe-vm --vm --project default\nincus config set lpe-vm security.secureboot=false --project default\nincus start lpe-vm --project default\n```\n\nStep 2: Create a root-owned trap target and pre-place /tmp symlinks\n\nOn the Incus host, create a sensitive root-owned file and place symlinks across a range of likely screenshot identifiers so that the predictable daemon pathname resolves to the chosen host target.\n\nCommands:\n```\necho \"SuperSecretRootHash\" \u003e /root/shadow_trap\nchmod 600 /root/shadow_trap\nls -l /root/shadow_trap\n\n\nfor i in $(seq 1 100); do\n    ln -sf /root/shadow_trap /tmp/incus_screenshot_$i\ndone\n\nls -l /tmp/incus_screenshot_* | head\n```\n\nResult:\n```\n-rw------- 1 root root 20 Mar 18 00:27 /root/shadow_trap\n```\n\nStep 3: Trigger the vulnerable screenshot path\n\nFrom an Incus client with access to the target server, request the VM VGA console through the Incus API. This causes the daemon to open the predictable /tmp/incus_screenshot_\u003cID\u003e path, change its ownership, and pass the same pathname into the QEMU screendump flow.\n\n\nCommand:\n```\nincus query -X GET \"/1.0/instances/lpe-vm/console?project=default\u0026type=vga\" \u003e /dev/null\n```\n\nResult:\n```\nError: Failed taking screenshot: Failed to connect to QEMU monitor\n```\n\nStep 4: Verify host-side impact\n\nOn the Incus host, inspect the previously root-owned target file and confirm that it has been truncated and that ownership has been reassigned to the unprivileged VM UID.\n\nCommand:\n```\nls -l /root/shadow_trap \u0026\u0026 stat /root/shadow_trap\n```\n\nResult:\n```\n-rw------- 1 incus root 0 Mar 18 00:29 /root/shadow_trap\n  File: /root/shadow_trap\n  Size: 0\n  Access: (0600/-rw-------)\n  Uid: ( 100000/   incus)\n  Gid: (     0/    root)\n```\n\nIt is recommended to create the temporary file securely in a directory controlled exclusively by the daemon, avoid predictable /tmp paths, and avoid reusing a mutable pathname after file creation.\n\n### Credit\nThis issue was discovered and reported by the team at 7asecurity (https://7asecurity.com/)",
  "id": "GHSA-q9vp-3wcg-8p4x",
  "modified": "2026-03-27T17:09:45Z",
  "published": "2026-03-27T17:09:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lxc/incus/security/advisories/GHSA-q9vp-3wcg-8p4x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33711"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lxc/incus/commit/ef006240ac2475ddea7b8406cecc7dbd1a883fdf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lxc/incus"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lxc/incus/releases/tag/v6.23.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Incus vulnerable to local privilege escalation through VM screenshot path"
}

GHSA-QC2Q-HWC8-26RV

Vulnerability from github – Published: 2025-02-28 00:30 – Updated: 2025-02-28 00:30
VLAI
Details

Arbitrary file overwrite during home directory recovery due to improper symbolic link handling. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 1.8.4.866, Acronis Backup plugin for cPanel & WHM (Linux) before build 1.9.1.892, Acronis Backup extension for Plesk (Linux) before build 1.8.7.615.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24832"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T23:15:37Z",
    "severity": "MODERATE"
  },
  "details": "Arbitrary file overwrite during home directory recovery due to improper symbolic link handling. The following products are affected: Acronis Backup plugin for cPanel \u0026 WHM (Linux) before build 1.8.4.866, Acronis Backup plugin for cPanel \u0026 WHM (Linux) before build 1.9.1.892, Acronis Backup extension for Plesk (Linux) before build 1.8.7.615.",
  "id": "GHSA-qc2q-hwc8-26rv",
  "modified": "2025-02-28T00:30:52Z",
  "published": "2025-02-28T00:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24832"
    },
    {
      "type": "WEB",
      "url": "https://security-advisory.acronis.com/advisories/SEC-7649"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QW9X-CQR3-WC7R

Vulnerability from github – Published: 2025-11-05 17:34 – Updated: 2025-11-18 18:37
VLAI
Summary
runc container escape with malicious config due to /dev/console mount and related races
Details

Impact

This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of /dev/pts/$n to /dev/console as configured for all containers that allocate a console).

In runc version 1.0.0-rc3 and later, due to insufficient checks when bind-mounting /dev/pts/$n to /dev/console inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This happens after pivot_root(2), so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of /proc/sysrq-trigger or /proc/sys/kernel/core_pattern (respectively).

The reason that the attacker can gain write access to these files is because the /dev/console bind-mount happens before maskedPaths and readonlyPaths are applied.

Additional Findings

While investigating this issue, runc discovered some other theoretical issues that may or may not be exploitable, as well as taking the opportunity to fix some fairly well-known issues related to consoles.

Issue 1: Problematic Usage of os.Create

Go provides an os.Create function for creating files, which older code in runc (dating back to the original libcontainer from the early 2010s) had a tendency to use fairly liberally. os.Create implies O_CREAT|O_TRUNC but by design it does not apply O_NOFOLLOW nor O_EXCL, meaning if the target is swapped with a malicious symlink runc can be tricked into truncating host files (which can lead to denial of service attacks, among other concerns).

Runc conducted an audit of all os.Create usages in runc and found some suspicious usages related to device inodes, but based on runc's testing these were not exploitable in practice. Runc now has custom code lints to block any os.Create usage in runc, and plan to do a further audit of any other plain os.* operation usage throughout runc after this advisory becomes public.

CVE-2024-45310 was a similar attack but without the O_TRUNC component (which resulted in a "Low" severity) -- a similar attack being exploitable would've been much more severe.

Issue 2: Malicious /dev/pts/$n Inode Attacks (TIOCGPTPEER)

The (very) classic API for constructing consoles involves first opening /dev/ptmx for reading and writing. This allocates a new pseudo-terminal and the returned file descriptor is the "master" end (which is used by higher-level runtimes to do I/O with the container).

Traditionally, in order to get the "slave" end, you do ioctl(ptm, TIOCGPTN) to get the pseudo-terminal number and then open the file in /dev/pts/ with the corresponding base-10 decimal number of the number returned by TIOCGPTN. The naive way of doing this is vulnerable to very basic race attacks where /dev/pts/$n is replaced with a different pseudo-terminal or other malicious file.

In order to provide a mechanism to mitigate this risk, Aleksa Sarai (@cyphar from SUSE) implemented TIOCGPTPEER back in 2017 to provide a race-free way of doing the last TIOCGPTN step by opening the peer end of the pseudo-terminal directly. However, at the time it was believed to be too impractical to implement this protection in runc due to its no-monitor-process architecture (unlike runtimes like LXC which made use of TIOCGPTPEER almost immediately). While working on this advisory, runc found a way to make TIOCGPTN usage on pre-4.13 kernels still safe against race attacks and so have implemented both TIOCGPTPEER support as well as safe TIOCGPTN support as a fallback.

Another possible target of attack would be replacing /dev/ptmx or /dev/pts/ptmx with a different inode and tricking runc into trying to operate on it. This is very similar to the core issue in CVE-2025-31133 and had a similar solution.

Runc's analysis was that while this attack appears to be potentially problematic in theory, it seems unlikely to actually be exploitable due to how consoles are treated (runc tries to do several pseudo-terminal-specific ioctls and will error out if they fail -- which happens for most other file types). In principle you could imagine a DoS attack using a disconnected NFS handle but it seems impractical to exploit. However, runc felt it prudent to include a solution (and this also provides a safe mechanism to get the source mount for the /dev/console bind-mount issue at the beginning of this advisory).

Patches

This advisory is being published as part of a set of three advisories:

  • CVE-2025-31133
  • CVE-2025-52881
  • CVE-2025-52565

The patches fixing this issue have accordingly been combined into a single patchset. The following patches from that patchset resolve the issues in this advisory:

  • db19bbed5348 ("internal/sys: add VerifyInode helper")
  • ff94f9991bd3 ("*: switch to safer securejoin.Reopen")
  • 531ef794e4ec ("console: use TIOCGPTPEER when allocating peer PTY")
  • 398955bccb7f ("console: add fallback for pre-TIOCGPTPEER kernels")
  • 9be1dbf4ac67 ("console: avoid trivial symlink attacks for /dev/console")
  • de87203e625c ("console: verify /dev/pts/ptmx before use")
  • 01de9d65dc72 ("rootfs: avoid using os.Create for new device inodes")
  • aee7d3fe355d ("ci: add lint to forbid the usage of os.Create")

runc 1.2.8, 1.3.3, and 1.4.0-rc.3 have been released and all contain fixes for these issues. As per runc's new release model, runc 1.1.x and earlier are no longer supported and thus have not been patched.

Mitigations

  • Use containers with user namespaces (with the host root user not mapped into the container's user namespace). This will block most of the most serious aspects of these attacks, as the procfs files used for the container breakout use Unix DAC permissions and user namespaced users will not have access to the relevant files.

An attacker would still be able to bind-mount host paths into the container but if the host uids and gids mapped into the container do not overlap with ordinary users on the host (which is the generally recommended configuration) then the attacker would likely not be able to read or write to most sensitive host files (depending on the Unix DAC permissions of the host files). Note that this is still technically more privilege than an unprivileged user on the host -- because the bind-mount is done by a privileged process, the attacker would be able to get access to directories whose parents may have denied search access (i.e., they may be able to access paths inside a chmod 700 directory that would normally block them from resolving subpaths).

Runc would also like to take this opportunity to re-iterate that runc strongly recommend all users use user namespaced containers. They have proven to be one of the best security hardening mechanisms against container breakouts, and the kernel applies additional restrictions to user namespaced containers above and beyond the user remapping functionality provided. With the advent of id-mapped mounts (Linux 5.12), there is very little reason to not use user namespaces for most applications. Note that using user namespaces to configure your container does not mean you have to enable unprivileged user namespace creation inside the container -- most container runtimes apply a seccomp-bpf profile which blocks unshare(CLONE_NEWUSER) inside containers regardless of whether the container itself uses user namespaces.

Rootless containers can provide even more protection if your configuration can use them -- by having runc itself be an unprivileged process, in general you would expect the impact scope of a runc bug to be less severe as it would only have the privileges afforded to the host user which spawned runc.

  • For non-user namespaced containers, configure all containers you spawn to not permit processes to run with root privileges. In most cases this would require configuring the container to use a non-root user and enabling noNewPrivileges to disable any setuid or set-capability binaries. (Note that this is runc's general recommendation for a secure container setup -- it is very difficult, if not impossible, to run an untrusted program with root privileges safely.) If you need to use ping in your containers, there is a net.ipv4.ping_group_range sysctl that can be used to allow unprivileged users to ping without requiring setuid or set-capability binaries.
  • Do not run untrusted container images from unknown or unverified sources.
  • The default containers-selinux SELinux policy mitigates this issue, as (unlike CVE-2025-31133) the /dev/console bind-mount does not get relabeled and so the container process cannot write to the bind-mounted procfs file by default.

Please note that CVE-2025-52881 allows an attacker to bypass LSM labels, and so this mitigation is not that helpful when considered in combination with CVE-2025-52881.

  • The default AppArmor policy used by Docker and Podman does not mitigate this issue (as access to /dev/console) is usually permitted. Users could create a custom profile that blocks access to /dev/console, but such a profile might break regular containers.

Please note that CVE-2025-52881 allows an attacker to bypass LSM labels, and so the mitigation provided with a custom profile is not that helpful when considered in combination with CVE-2025-52881.

Other Runtimes

As this vulnerability boils down to a fairly easy-to-make logic bug,runc has provided information to other OCI (crun, youki) and non-OCI (LXC) container runtimes about this vulnerability.

Based on discussions with other runtimes, it seems that crun and youki may have similar security issues and will release a co-ordinated security release along with runc. LXC appears to also be vulnerable in some aspects, but their security stance is (understandably) that non-user-namespaced containers are fundamentally insecure by design.

Credits

Thanks to Lei Wang (@ssst0n3 from Huawei) and Li Fubang (@lifubang from acmcoder.com, CIIC) for discovering and reporting the main /dev/console bind-mount vulnerability, as well as Aleksa Sarai (@cyphar from SUSE) for discovering Issues 1 and 2 and the original research into these classes of issues several years ago.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.2.7"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/opencontainers/runc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0-rc3"
            },
            {
              "fixed": "1.2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.3.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/opencontainers/runc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0-rc.1"
            },
            {
              "fixed": "1.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.4.0-rc.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/opencontainers/runc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0-rc.1"
            },
            {
              "fixed": "1.4.0-rc.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-52565"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-363",
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-05T17:34:49Z",
    "nvd_published_at": "2025-11-06T20:15:49Z",
    "severity": "HIGH"
  },
  "details": "### Impact ###\nThis attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). \n\nIn runc version 1.0.0-rc3 and later, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). \n\nThe reason that the attacker can gain write access to these files is because the `/dev/console` bind-mount happens before `maskedPaths` and `readonlyPaths` are applied.\n\n#### Additional Findings ####\nWhile investigating this issue, runc discovered some other theoretical issues that may or may not be exploitable, as well as taking the opportunity to fix some fairly well-known issues related to consoles.\n\n##### Issue 1: Problematic Usage of `os.Create` #####\nGo provides an `os.Create` function for creating files, which older code in runc (dating back to the original `libcontainer` from the early 2010s) had a tendency to use fairly liberally. `os.Create` implies `O_CREAT|O_TRUNC` but by design it does not apply `O_NOFOLLOW` nor `O_EXCL`, meaning if the target is swapped with a malicious symlink runc can be tricked into truncating host files (which can lead to denial of service attacks, among other concerns). \n\nRunc conducted an audit of all `os.Create` usages in runc and found some suspicious usages related to device inodes, but based on runc\u0027s testing these were not exploitable in practice. Runc now has custom code lints to block any `os.Create` usage in runc, and plan to do a further audit of any other plain `os.*` operation usage throughout runc after this advisory becomes public. \n\nCVE-2024-45310 was a similar attack but without the `O_TRUNC` component (which resulted in a \"Low\" severity) -- a similar attack being exploitable would\u0027ve been much more severe.\n\n##### Issue 2: Malicious `/dev/pts/$n` Inode Attacks (`TIOCGPTPEER`) #####\nThe (very) classic API for constructing consoles involves first opening `/dev/ptmx` for reading and writing. This allocates a new pseudo-terminal and the returned file descriptor is the \"master\" end (which is used by higher-level runtimes to do I/O with the container). \n\nTraditionally, in order to get the \"slave\" end, you do `ioctl(ptm, TIOCGPTN)` to get the pseudo-terminal number and then open the file in `/dev/pts/` with the corresponding base-10 decimal number of the number returned by `TIOCGPTN`. The naive way of doing this is vulnerable to very basic race attacks where `/dev/pts/$n` is replaced with a different pseudo-terminal or other malicious file. \n\nIn order to provide a mechanism to mitigate this risk, Aleksa Sarai (@cyphar from SUSE) implemented `TIOCGPTPEER` back in 2017 to provide a race-free way of doing the last `TIOCGPTN` step by opening the peer end of the pseudo-terminal directly. However, at the time it was believed to be too impractical to implement this protection in runc due to its no-monitor-process architecture (unlike runtimes like LXC which made use of `TIOCGPTPEER` almost immediately). While working on this advisory, runc found a way to make `TIOCGPTN` usage on pre-4.13 kernels still safe against race attacks and so have implemented both `TIOCGPTPEER` support as well as safe `TIOCGPTN` support as a fallback. \n\nAnother possible target of attack would be replacing `/dev/ptmx` or `/dev/pts/ptmx` with a different inode and tricking runc into trying to operate on it. This is very similar to the core issue in CVE-2025-31133 and had a similar solution. \n\nRunc\u0027s analysis was that while this attack appears to be potentially problematic in theory, it seems unlikely to actually be exploitable due to how consoles are treated (runc tries to do several pseudo-terminal-specific `ioctl`s and will error out if they fail -- which happens for most other file types). In principle you could imagine a DoS attack using a disconnected NFS handle but it seems impractical to exploit. However, runc felt it prudent to include a solution (and this also provides a safe mechanism to get the source mount for the `/dev/console` bind-mount issue at the beginning of this advisory).\n\n### Patches ###\nThis advisory is being published as part of a set of three advisories:\n\n  * CVE-2025-31133\n  * CVE-2025-52881\n  * CVE-2025-52565\n\nThe patches fixing this issue have accordingly been combined into a single patchset. The following patches from that patchset resolve the issues in this advisory:\n\n * db19bbed5348 (\"internal/sys: add VerifyInode helper\")\n * ff94f9991bd3 (\"*: switch to safer securejoin.Reopen\")\n * 531ef794e4ec (\"console: use TIOCGPTPEER when allocating peer PTY\")\n * 398955bccb7f (\"console: add fallback for pre-TIOCGPTPEER kernels\")\n * 9be1dbf4ac67 (\"console: avoid trivial symlink attacks for /dev/console\")\n * de87203e625c (\"console: verify /dev/pts/ptmx before use\")\n * 01de9d65dc72 (\"rootfs: avoid using os.Create for new device inodes\")\n * aee7d3fe355d (\"ci: add lint to forbid the usage of os.Create\")\n\nrunc 1.2.8, 1.3.3, and 1.4.0-rc.3 have been released and all contain fixes for these issues. As per [runc\u0027s new release model](https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md), runc 1.1.x and earlier are no longer supported and thus have not been patched.\n\n[CVE-2025-31133]: https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2\n[CVE-2025-52565]: https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r\n[CVE-2025-52881]: https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm\n[RELEASES.md]: https://github.com/opencontainers/runc/blob/v1.4.0-rc.2/RELEASES.md\n\n### Mitigations ###\n* Use containers with user namespaces (with the host root user not mapped into the container\u0027s user namespace). This will block most of the most serious aspects of these attacks, as the `procfs` files used for the container breakout use Unix DAC permissions and user namespaced users will not have access to the relevant files. \n\nAn attacker would still be able to bind-mount host paths into the container but if the host uids and gids mapped into the container do not overlap with ordinary users on the host (which is the generally recommended configuration) then the attacker would likely not be able to read or write to most sensitive host files (depending on the Unix DAC permissions of the host files). Note that this is still technically more privilege than an unprivileged user on the host -- because the bind-mount is done by a privileged process, the attacker would be able to get access to directories whose parents may have denied search access (i.e., they may be able to access paths inside a `chmod 700` directory that would normally block them from resolving subpaths). \n\nRunc would also like to take this opportunity to re-iterate that runc **strongly** recommend all users use user namespaced containers. They have proven to be one of the best security hardening mechanisms against container breakouts, and the kernel applies additional restrictions to user namespaced containers above and beyond the user remapping functionality provided. With the advent of id-mapped mounts (Linux 5.12), there is very little reason to not use user namespaces for most applications. Note that using user namespaces to configure your container does not mean you have to enable unprivileged user namespace creation *inside* the container -- most container runtimes apply a seccomp-bpf profile which blocks `unshare(CLONE_NEWUSER)` inside containers regardless of whether the container itself uses user namespaces. \n\nRootless containers can provide even more protection if your configuration can use them -- by having runc itself be an unprivileged process, in general you would expect the impact scope of a runc bug to be less severe as it would only have the privileges afforded to the host user which spawned runc. \n\n * For non-user namespaced containers, configure all containers you spawn to not permit processes to run with root privileges. In most cases this would require configuring the container to use a non-root user and enabling `noNewPrivileges` to disable any setuid or set-capability binaries. (Note that this is runc\u0027s general recommendation for a secure container setup -- it is very difficult, if not impossible, to run an untrusted program with root privileges safely.) If you need to use `ping` in your containers, there is a `net.ipv4.ping_group_range` sysctl that can be used to allow unprivileged users to ping without requiring setuid or set-capability binaries. \n * Do not run untrusted container images from unknown or unverified sources.\n * The default `containers-selinux` SELinux policy mitigates this issue, as (unlike CVE-2025-31133) the `/dev/console` bind-mount does not get relabeled and so the container process cannot write to the bind-mounted procfs file by default.\n\n   Please note that CVE-2025-52881 allows an attacker to bypass LSM labels, and so this mitigation is not that helpful when considered in combination with CVE-2025-52881.\n\n * The default AppArmor policy used by Docker and Podman does not mitigate this issue (as access to `/dev/console`) is usually permitted. Users could create a custom profile that blocks access to `/dev/console`, but such a profile might break regular containers.\n\n   Please note that CVE-2025-52881 allows an attacker to bypass LSM labels, and so the mitigation provided with a custom profile is not that helpful when considered in combination with CVE-2025-52881.\n\n[CVE-2025-31133]: https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2\n[CVE-2025-52881]: https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm\n\n### Other Runtimes ###\nAs this vulnerability boils down to a fairly easy-to-make logic bug,runc has provided information to other OCI (crun, youki) and non-OCI (LXC) container runtimes about this vulnerability.\n\nBased on discussions with other runtimes, it seems that crun and youki may have similar security issues and will release a co-ordinated security release along with runc. LXC appears to also be vulnerable in some aspects, but [their security stance][lxc-security] is (understandably) that non-user-namespaced containers are fundamentally insecure by design.\n\n[lxc-security]: https://linuxcontainers.org/lxc/security/\n\n### Credits ###\n\nThanks to Lei Wang (@ssst0n3 from Huawei) and Li Fubang (@lifubang from acmcoder.com, CIIC) for discovering and reporting the main `/dev/console` bind-mount vulnerability, as well as Aleksa Sarai (@cyphar from SUSE) for discovering Issues 1 and 2 and the original research into these classes of issues several years ago.",
  "id": "GHSA-qw9x-cqr3-wc7r",
  "modified": "2025-11-18T18:37:10Z",
  "published": "2025-11-05T17:34:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52565"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencontainers/runc/commit/01de9d65dc72f67b256ef03f9bfb795a2bf143b4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencontainers/runc/commit/398955bccb7f20565c224a3064d331c19e422398"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencontainers/runc/commit/531ef794e4ecd628006a865ad334a048ee2b4b2e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencontainers/runc/commit/9be1dbf4ac67d9840a043ebd2df5c68f36705d1d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencontainers/runc/commit/aee7d3fe355dd02939d44155e308ea0052e0d53a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencontainers/runc/commit/db19bbed5348847da433faa9d69e9f90192bfa64"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencontainers/runc/commit/de87203e625cd7a27141fb5f2ad00a320c69c5e8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencontainers/runc/commit/ff94f9991bd32076c871ef0ad8bc1b763458e480"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opencontainers/runc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "runc container escape with malicious config due to /dev/console mount and related races"
}

GHSA-R2P4-XRGF-RXRX

Vulnerability from github – Published: 2024-03-28 21:30 – Updated: 2024-03-28 21:30
VLAI
Details

Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains an UNIX symbolic link (symlink) following vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to denial of service, information tampering.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25952"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-28T19:15:47Z",
    "severity": "MODERATE"
  },
  "details": "Dell PowerScale OneFS versions 8.2.2.x through 9.7.0.x contains an UNIX symbolic link (symlink) following vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to denial of service, information tampering.",
  "id": "GHSA-r2p4-xrgf-rxrx",
  "modified": "2024-03-28T21:30:31Z",
  "published": "2024-03-28T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25952"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000223366/dsa-2024-115-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R2RX-5Q74-PPJP

Vulnerability from github – Published: 2025-05-12 21:31 – Updated: 2025-05-12 21:31
VLAI
Details

Client RCE on macOS and Linux via improper symbolic link resolution in Google Web Designer's preview feature

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1079"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-12T20:15:21Z",
    "severity": "HIGH"
  },
  "details": "Client RCE on macOS and Linux via improper symbolic link resolution in Google Web Designer\u0027s preview feature",
  "id": "GHSA-r2rx-5q74-ppjp",
  "modified": "2025-05-12T21:31:09Z",
  "published": "2025-05-12T21:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1079"
    },
    {
      "type": "WEB",
      "url": "https://balintmagyar.com/articles/google-web-designer-symlink-client-side-rce-cve-2025-1079"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R6H2-5GQQ-V5V6

Vulnerability from github – Published: 2026-02-20 21:05 – Updated: 2026-02-23 22:29
VLAI
Summary
OpenClaw: Reject symlinks in local skill packaging script
Details

Vulnerability

skills/skill-creator/scripts/package_skill.py (a local helper script used when authors package skills) previously followed symlinks while building .skill archives.

If an author runs this script on a crafted local skill directory containing symlinks to files outside the skill root, the resulting archive can include unintended file contents.

Severity and Exposure

  • Severity: Low
  • Execution context: local/manual workflow only (skill author packaging step)
  • No remote trigger: this is not reachable via normal OpenClaw gateway/chat runtime paths
  • No extraction Zip Slip in this finding: this issue is limited to packaging-time symlink following

Impact

  • Potential unintentional disclosure of local files from the packaging machine into a generated .skill artifact.
  • Requires local execution of the packaging script on attacker-controlled skill contents.

Affected Components

  • skills/skill-creator/scripts/package_skill.py

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published version during triage: 2026.2.17
  • Vulnerable version range: <= 2026.2.17
  • Planned patched version (next release): 2026.2.18

Remediation

  • Reject symlinks during skill packaging.
  • Add regression tests for symlink file and symlink directory cases.
  • Update packaging guidance to document the symlink restriction.

Fix Commit(s)

  • c275932aa4230fb7a8212fe1b9d2a18424874b3f
  • ee1d6427b544ccadd73e02b1630ea5c29ba9a9f0

Related PR

  • https://github.com/openclaw/openclaw/pull/20796

Release Process Note

patched_versions is pre-set to the planned next release (2026.2.18). Once npm openclaw@2026.2.18 is published, this advisory is ready to publish without additional edits.

Thanks @aether-ai-agent for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.2.18"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27485"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-20T21:05:45Z",
    "nvd_published_at": "2026-02-21T10:16:12Z",
    "severity": "MODERATE"
  },
  "details": "## Vulnerability\n\n`skills/skill-creator/scripts/package_skill.py` (a local helper script used when authors package skills) previously followed symlinks while building `.skill` archives.\n\nIf an author runs this script on a crafted local skill directory containing symlinks to files outside the skill root, the resulting archive can include unintended file contents.\n\n## Severity and Exposure\n\n- **Severity: Low**\n- **Execution context:** local/manual workflow only (skill author packaging step)\n- **No remote trigger:** this is not reachable via normal OpenClaw gateway/chat runtime paths\n- **No extraction Zip Slip in this finding:** this issue is limited to packaging-time symlink following\n\n## Impact\n\n- Potential unintentional disclosure of local files from the packaging machine into a generated `.skill` artifact.\n- Requires local execution of the packaging script on attacker-controlled skill contents.\n\n## Affected Components\n\n- `skills/skill-creator/scripts/package_skill.py`\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Latest published version during triage: `2026.2.17`\n- Vulnerable version range: `\u003c= 2026.2.17`\n- Planned patched version (next release): `2026.2.18`\n\n## Remediation\n\n- Reject symlinks during skill packaging.\n- Add regression tests for symlink file and symlink directory cases.\n- Update packaging guidance to document the symlink restriction.\n\n## Fix Commit(s)\n\n- `c275932aa4230fb7a8212fe1b9d2a18424874b3f`\n- `ee1d6427b544ccadd73e02b1630ea5c29ba9a9f0`\n\n## Related PR\n\n- https://github.com/openclaw/openclaw/pull/20796\n\n## Release Process Note\n\n`patched_versions` is pre-set to the planned next release (`2026.2.18`). Once npm `openclaw@2026.2.18` is published, this advisory is ready to publish without additional edits.\n\nThanks @aether-ai-agent for reporting.",
  "id": "GHSA-r6h2-5gqq-v5v6",
  "modified": "2026-02-23T22:29:30Z",
  "published": "2026-02-20T21:05:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r6h2-5gqq-v5v6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27485"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/pull/20796"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/c275932aa4230fb7a8212fe1b9d2a18424874b3f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/ee1d6427b544ccadd73e02b1630ea5c29ba9a9f0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.19"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Reject symlinks in local skill packaging script"
}

GHSA-R6QV-FRPC-Q66C

Vulnerability from github – Published: 2026-03-18 18:31 – Updated: 2026-03-19 23:22
VLAI
Summary
Jenkins has a link following vulnerability allows arbitrary file creation
Details

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.554"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.555"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33001"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T12:46:21Z",
    "nvd_published_at": "2026-03-18T16:16:28Z",
    "severity": "HIGH"
  },
  "details": "Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.\nThis can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.",
  "id": "GHSA-r6qv-frpc-q66c",
  "modified": "2026-03-19T23:22:20Z",
  "published": "2026-03-18T18:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/6dc99937605d5bddfeaae43a4cd14c2571e23adc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/jenkins"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/releases/tag/jenkins-2.555"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins has a link following vulnerability allows arbitrary file creation"
}

Mitigation
Implementation

Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program as to prevent attackers from manipulating the files.

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-27: Leveraging Race Conditions via Symbolic Links

This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.